There is pervasive fear of identity theft. Victims spend an
extraordinary amount of time and money recovering from it. The government
is doing something about it, but businesses may not be pleased to hear that
the government's latest action is another unfunded mandate.

New rules concerning identity theft prevention at financial companies go
into effect on Friday, May 1, 2009, but for most organizations, complying
with the FTC's Red Flags Rule could be as simple as writing down rules and
procedures already in place and having them certified by the Board.

The rules are about procedures, not about data security, said Tiffany
George, attorney for the division of privacy and identity protection at the
FTC. She spoke on Tuesday at the FTC's workshop for businesses held on the campus of
Fordham University in New York City. "The Red Flags Rule covers what to do
when, despite our best efforts, thieves steal data," she said.

As new regulations go, the FTC's Red Flags Rule will be less painful than many other recently enacted rules. For example, while Sarbanes-Oxley is considered a burden to many public companies, requiring several full-time
staff, the Red Flags Rule can likely be handled by legal or compliance staff
already in place.

It merely requires that companies have reasonable written policies in
place, that they be certified by the Board, and that they be reviewed
regularly.

Few changes are required because the law is
so flexible. It requires "creditors" to monitor suspicious activity on
"covered accounts."

A "creditor" is any company that has accounts that can be accessed
repeatedly -- a phone company is a creditor but a magazine subscriber with a
term-limited subscription is not.

"Covered accounts" are those designed to permit multiple transactions.

Compliance

Claire Rosenzweig, president and CEO of the metropolitan New York chapter
of the Better Business Bureau (BBB), said that businesses are eager to fight
identity theft as part of their Corporate Social Responsibility (CSR) efforts, but prefer self-regulation to the other kind.

Most businesses said they found it easy to comply. "It fit naturally within our compliance organization," said Orrie Dinstein, chief privacy leader and senior IP counsel at GE Capital, the finance arm of General Electric. "We're a very compliance-driven company. Other companies may have a different culture."

Employees of SUNY were surprised to be subject to the rule, and
implementing it was quite complex. SUNY's Gilbertson explained that SUNY is
a very diverse institution.

"We have 64 campuses, and in addition to education, we do things like health care," he said. "We have large research operations like Stony Brook, technical colleges, liberal arts schools like Alfred, community colleges, and hospitals."

SUNY has one board, not 64, but the board was not accustomed to handling
the day-to-day details of the operations of the various campuses. The board
wrote general guidelines and then each institution provided more specific
guidelines as appropriate, with input from Gilbertson's team.

"We went around to the various campuses. We went to representative
campuses, not to all 64, and provided a template with cut and paste
language. We put in mostly things that we're already doing, but we did get
people talking to each other who weren't before and should have been and are
talking now."

Education and communication are among the benefits of the rule. "It's an
opportunity for training," said Laura Dishman, privacy and AML associate for
law and compliance at educational savings firm TIAA-CREF.

"Once you get people past the point of being upset about having to do
something that they didn't do before, they realize that there's not much to
change," she added.

Since the act only requires "reasonable precautions," many of the
institutions that complain about being targeted by the act won't find
compliance burdensome because their accounts will be classified as low risk.

While TIAA-CREF has to keep a close eye on activity in people's retirement
accounts, from which identity thieves could withdraw cash, GE Capital can
protect copier leasing plans with a lower level of security as identity
thieves could only use the accounts to order office equipment. GE's
Dinstein added that thieves could use the accounts to make payments for
other people's equipment, but GE saw that as an unlikely eventuality.

Some at the event complained to the FTC that while it treats businesses
reasonably, it provides no protection to consumers. "The consumer cannot
sue a business for having or not having red flags," said the FTC's George.

"Consumers may complain to the FTC, but there will not necessarily be any
investigation," she added.

The rule is jointly enforced by the FTC and by various financial industry
regulators. George said that if the FTC receives a complaint about an
institution over which it does not have jurisdiction, the FTC could pass
that complaint on to the correct regulator.
